As we discuss in the Cisco Midyear Security Report, cybersecurity is becoming more of a strategic risk for today’s businesses, creating a growing focus on achieving “security operations maturity.” That’s why Cisco has developed the Security Operations Maturity Model – to help organizations understand how security operations, technologies, and products must evolve to keep up with the pace of change in their environments and increasingly sophisticated attacks. The model plots a journey along a scale of controls that moves from static to human intervention to semi-automatic to dynamic and, ultimately, predictive controls.

Every day I see evidence of why we need to evolve our security capabilities. A perfect example is the Kyle and Stan malicious advertising attack that our Talos Security Intelligence and Research Group discovered and continues to analyze. Ongoing research now reveals that the attack is nine times larger than initially believed and began more than two years ago. The expansiveness and extended period of the campaign reflects the ability of this attack to continuously morph, move quickly, and erase its tracks leaving nearly indiscernible indicators of compromise. To effectively detect and protect against attacks like this, organizations need dynamic controls that see more, learn more, and adapt quickly. Relying exclusively on static controls and human intervention puts defenders at a significant disadvantage and allows attacks to run rampant.

Students arrive in Washington, D.C. wearing embroidered leather jackets with logos and names stitched in bright colors on their sleeves. They’re members of different teams, but not sports teams. They are at the nation’s capitol for CyberPatriot’s National Youth Cyber Defense competition, the largest high school cyber defense competition in the United States.

By volunteering as mentors, we as Cisco employees can impact the future generations of network professionals who will protect the Internet of Everything from breaches and threats that are becoming more common as people, processes, data, and things become more connected.

CyberPatriot’s competition was created by the Air Force Association (AFA) in 2009 to inspire high school students to pursue careers in cybersecurity. Bernie Skoch, CyberPatriot National commissioner, stresses the importance of cybersecurity training as the number of breaches become more common on the Internet.

“There are 15,000 attacks per second in the United States,” he said. “We have a dire need for cybersecurity professionals in the United States, but we frankly aren’t drawing enough young men and young women” to the field.

More organizations are starting to view cybersecurity as a strategic risk. They have to—it’s becoming unavoidable. Technology and the business are so intertwined. Regulators are issuing more compliance measures that include information security directives. And all the while, adversaries are relentless in their campaigns to compromise defenses to steal information, money, or otherwise create disruption.

The HAVEX worm is making the rounds again. As Cisco first reported back in September 2013, HAVEX specifically targets supervisory control and data acquisition (SCADA), industrial control system (ICS), and other operational technology (OT) environments. In the case of HAVEX, the energy industry, and specifically power plants based in Europe, seems to be the primary target. See Cisco’s security blog post for technical details on this latest variant.

When I discuss security with those managing SCADA, ICS and other OT environments, I almost always get the feedback that cybersecurity isn’t required, because their systems are physically separated from the open Internet. This practice, referred to in ICS circles as the “airgap”, is the way ICS networks have been protected since the beginning of time; and truth be told, it’s been tremendously effective for decades. The problem is, the reality of the airgap began to disappear several years ago, and today is really just a myth.

Today, networks of all types are more connected than ever before. Gone are the days where only information technology (IT) networks are connected, completely separated from OT networks. OT networks are no longer islands unto themselves, cut off from the outside world. Technology trends such as the Internet of Things (IoT) have changed all of that. To gain business efficiencies and streamline operations, today’s manufacturing plants, field area networks, and other OT environments are connected to the outside world via wired and wireless communications – in multiple places throughout the system! As a result, these industrial environments are every bit as open to hackers and other cyber threats as their IT counterparts. The main difference, of course, is that most organizations have relatively weak cybersecurity controls in these environments because of the continued belief that an airgap segregates them from the outside world, thereby insulating them from cyber attacks. This naivety makes OT environments an easier target.

The authors of HAVEX certainly understand that OT environments are connected, since the method of transmission is via a downloadable Trojan installed on the websites of several ICS/SCADA manufacturers. What’s considered a very old trick in the IT world is still relatively new to those in OT.

It’s absolutely essential that organizations with ICS environments fully understand and embrace the fact that IT and OT are simply different environments within a single extended network. As such, cybersecurity needs to be implemented across both to produce a comprehensive security solution for the entire extended network. The most important way to securely embrace IoT is for IT and OT to work together as a team. By each relinquishing just a bit of control, IT can retain centralized control over the extended network – but with differentiated policies that recognize the specialized needs of OT environments.

We’ll never completely bulletproof our systems, but with comprehensive security solutions applied across the extended network that provide protection before, during, and after an attack, organizations can protect themselves from most of what’s out there. A significant step in the right direction is to understand that the airgap is gone forever; it’s time to protect our OT environments every bit as much as we protect our IT environments.

The fire alarm went off in my building again, but fortunately, it was only a drill. By now, we are all used to the periodic fire drills for emergency preparedness in our workplaces. But have you ever wondered if there is a similar exercise possible for a cyber attack? The same logic applies. Your team will be better prepared to handle a disaster if they are trained for it.

Seeing is believing: Today I am excited to share this video from our Cisco Korea team that showcases Cisco CyberRange.

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.